(I get the spinning beach ball thing and then of course my favourite, the shaking window)
This behavior can be the result of changing the server's hostname after initial setup. I would check the following:
1. You may have already done this, but: On the server and on a test client, use lookupd -d to find your server:
a. Verify address to name resolution: run lookupd -d, then type hostWithInternetAddress: <server's IP> and press return. Look for the server's DNS name after "name".
b. Verify name to address resolution: run lookupd -d, then type hostWithName: <server's DNS name> and press return. Look for the server's primary IP after "ip_address".
Judging by your post, you've probably already accomplished the preceding.
2. Check server's hostname:
a. On your server, edit the /etc/hostconfig file: sudo pico /etc/hostconfig. Look for the HOSTNAME line. The value for HOSTNAME should be your server's DNS name.
Note that the default server configuration is to use the -AUTOMATIC- variable (e.g., HOSTNAME=-AUTOMATIC-), where the hostname is determined by the first true item in this list: the DHCP client ID for the server, the name returned by reverse DNS lookup, the local host name (the Bonjour name), the string "localhost". I recommend changing the HOSTNAME entry to read HOSTNAME=<your server's DNS name> (e.g., HOSTNAME=server.company.private).
b. On the server, type hostname at a local Terminal or remote ssh session. Verify that it returns the server's DNS name. If it does not, change it by typing sudo hostname <server's DNS name>, then verify with hostname again.
3. Ensure that the following ports are open for your network on your server's firewall: AFP, DNS, all LDAP, all NetInfo, all RPC and authentication services, all Password Server, and all Kerberos.
4. If you've recently changed your server's hostname and haven't run the changeip command, do so now to update your server's Open Directory database. Note that changeip won't actually change your server's IP address:
sudo changeip /LDAPv3/127.0.0.1 <server's IP address> <server's IP address again> <old hostname> <new hostname>
You will be prompted to enter a directory administrator's name and password.
5. Check Kerberos status: Open Server Admin, log on to your server, and click Open Directory. In the status section, verify that Kerberos is running. If it's not, click Settings, then click Kerberize in the Role section. Enter the directory administrator's name and password to start Kerberos.
Note that if the server's hostname command previously returned a local host name (that is, a host name from Bonjour), then Kerberos didn't start previously.
6. Enable single sign-on: Visit http://docs.info.apple.com/article.html?artnum=302044 and enter the last two commands listed in step 5 there. These are the two commands that involve sso_util.
7. Refresh automounts stored in the Open Directory domain: For some reason, I've had to perform this additional step in situations where the login window failed to authenticate one or all users after the changes listed above.
With no users connected, open Workgroup Manager and log on to your server. Click Sharing, then select each share point that has a corresponding automount record and un-check the "share this item" box. You'll be asked to authenticate as a directory administrator so that the corresponding mount record will be deleted. Click Apply. Then, locate and re-check the "share this item" box for each previously-defined share point. Click Network Mount and recreate the appropriate mount record for the share point. Be sure that you perform this procedure for network home directory share points as well as static automounts, such as a shared Library.
8. Check home and home_loc properties for a few user accounts: Using the All Records Inspector tab in Workgroup Manager, select an account and look for the two home records (NFSHomeDirectory). These should take the form of /Network/Servers/<server's DNS name>/<path>/<home directory share point>/<user name>. Also check the two home_loc records. These should indicate <url>afp://<server's DNS name>/<home directory share point></url><path><user name></path>.
You may need to use the Home tab in the Accounts section to reset the locations of user homes. You can do so en masse if several home locations need to be updated.
9. Unbind, rebind, and restart each client: Using Directory Access, unbind and delete the LDAP configuration of your server, then rebind and restart to refresh network mounts.
10. Try logging in again.
Hope this helps!
--Gerrit
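The checks in steps 1, 2 and 8 of the post above (forward/reverse resolution agree, HOSTNAME in /etc/hostconfig is pinned to the DNS name rather than -AUTOMATIC-, and no NFSHomeDirectory record still points at the old server name) can be scripted so they are repeatable after a hostname change. The following is an added example and not part of the original post or of Apple's tooling: it works entirely on constructed sample data (a stand-in hostconfig file, a list of home paths, and lookup results passed in as arguments), so it runs offline; the hostnames and the IP are placeholders, and the lookup results would in practice come from lookupd as described in step 1.

```sh
#!/bin/sh
# Added example, not from the original post: offline consistency checks for
# the hostname-related settings the post walks through. All input below is
# constructed sample data; server names and the IP are placeholders.

# hostconfig_hostname FILE
# Print the value of the HOSTNAME= line in a hostconfig-style file.
hostconfig_hostname() {
  sed -n 's/^HOSTNAME=//p' "$1" | head -n 1
}

# check_hostconfig FILE DNS_NAME
# Print "ok" when HOSTNAME is pinned to DNS_NAME, "automatic" when it is still
# -AUTOMATIC- (the hostname then depends on DHCP, reverse DNS or Bonjour, as the
# post notes), otherwise "mismatch:<value>".
check_hostconfig() {
  value=$(hostconfig_hostname "$1")
  case "$value" in
    "$2")        echo ok ;;
    -AUTOMATIC-) echo automatic ;;
    *)           echo "mismatch:$value" ;;
  esac
}

# check_resolution DNS_NAME IP FORWARD_RESULT REVERSE_RESULT
# Compare what forward (name -> IP) and reverse (IP -> name) lookups returned
# with the expected pair (step 1). Prints "ok" or the failing side and value.
check_resolution() {
  name=$1; ip=$2; fwd=$3; rev=$4
  if [ "$fwd" != "$ip" ]; then echo "forward:$fwd"; return; fi
  if [ "$rev" != "$name" ]; then echo "reverse:$rev"; return; fi
  echo ok
}

# stale_home_records OLD_NAME < paths
# Read NFSHomeDirectory paths on stdin and print those that still point at
# /Network/Servers/<old name>/..., i.e. the records step 8 says to fix.
# OLD_NAME is used as a regex here, so a dot matches any character.
stale_home_records() {
  grep "^/Network/Servers/$1/" || :
}

# --- constructed sample data (placeholder hostnames) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/hostconfig" <<'EOF'
AFPSERVER=-YES-
HOSTNAME=-AUTOMATIC-
EOF
printf '%s\n' \
  /Network/Servers/oldname.local/Users/alice \
  /Network/Servers/server.company.private/Users/bob \
  /Network/Servers/oldname.local/Users/carol > "$WORK/homes.txt"

# count_stale OLD_NAME: number of sample home records still using OLD_NAME
count_stale() {
  stale_home_records "$1" < "$WORK/homes.txt" | wc -l | tr -d ' '
}

echo "hostconfig: $(check_hostconfig "$WORK/hostconfig" server.company.private)"
echo "resolution: $(check_resolution server.company.private 10.0.0.5 10.0.0.5 oldname.local)"
echo "stale home records: $(count_stale oldname.local)"
```

On the sample data the script reports that HOSTNAME is still -AUTOMATIC-, that the reverse lookup returns the old name (so the -AUTOMATIC- logic would pick it up), and that two home records still reference it. Those are exactly the conditions under which the post expects the login window to misbehave; each one maps to the step that fixes it.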